Feature request: session timeout


Younghyun Jo

Mar 3, 2008, 11:15:25 PM3/3/08
to web2py Web Framework
I can write session timeout code at the application level.
But I want web2py to have it,
because it gives a more secure environment.

ASP and JSP have this function.

Massimo Di Pierro

Mar 4, 2008, 1:04:59 AM3/4/08
to web...@googlegroups.com
I could, but the problem is that the timeout depends on the user's parameters:
- the timeout time
- what happens on timeout.
Moreover, I do not think sessions should ever expire, because they can be used for tracking, not just authentication. It is just that on timeout the user should be logged out. How the user is logged out/in is very application specific. I suggest you create a model file called models/ltimeout.py that contains

    import time
    TIMEOUT = 30*60  # seconds of inactivity before the user is logged out
    PATH_ON_TIMEOUT = '/%s/default/logout' % request.application
    # request.env.path_info is the requested path; the logout page itself is
    # exempt, otherwise a timed-out user would be redirected to it forever
    if session.lastrequest and session.lastrequest < time.time()-TIMEOUT and request.env.path_info != PATH_ON_TIMEOUT:
        # optional if you don't care about tracking usage: session.clear()
        redirect(PATH_ON_TIMEOUT)
    session.lastrequest = time.time()  # refresh the idle clock on every live request

and create a controller default/logout that performs the logout. I do not think you need more. This is secure.

Massimo

voltron

Mar 20, 2008, 8:29:29 AM3/20/08
to web2py Web Framework
Hi Massimo! Maybe you should consider making this a core function in
web2py; I just read up on security and session management. Here is the
document:

http://lukemurphey.net/Whitepapers/Session%20Management.pdf

Massimo Di Pierro

Mar 20, 2008, 9:00:47 AM3/20/08
to web...@googlegroups.com
Admin sessions expire as of version 1.26. If you want to expire your
own session:

1) assuming you use session.authorized to determine whether the user
is logged in
2) set session.lasttime=time.time() immediately after login
3) place at the top of your controller:

    import time
    # log the user out after 600 idle seconds; only refresh the idle clock
    # while the user is still logged in
    if session.lasttime and session.lasttime < time.time()-600:
        session.authorized = False
    if session.authorized: session.lasttime = time.time()

600 indicates that the session will expire after 600 idle seconds.

Massimo
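The two idle-timeout variants described in this thread (redirect to the logout page, and flip session.authorized to False), written as stand-alone functions so the boundary cases can be exercised outside web2py. This is an added example, not code from the thread or from web2py; it uses a plain dict in place of the web2py session object, takes the current time as a parameter, and assumes a constructed logout path.

```python
import time

# constructed stand-in for '/%s/default/logout' % request.application
LOGOUT_PATH = "/myapp/default/logout"


def enforce_idle_timeout(session, path_info, now=None, timeout=30 * 60,
                         logout_path=LOGOUT_PATH, clear_on_timeout=False):
    """Variant from the first reply: returns "redirect" when the session has
    been idle for more than `timeout` seconds, else "ok".

    Edge cases the thread relies on:
      * a brand-new session (no timestamp yet) is simply stamped and allowed
      * the logout page itself is exempt, so a timed-out user is not bounced
        to /logout in an endless loop
      * the idle clock is NOT refreshed on a timed-out request, otherwise the
        redirect would "revive" the session before the logout controller runs
    """
    now = time.time() if now is None else now
    last = session.get("lastrequest")
    if last is not None and last < now - timeout and path_info != logout_path:
        if clear_on_timeout:
            session.clear()          # also discards any tracking data
        return "redirect"
    session["lastrequest"] = now     # live request: refresh the idle clock
    return "ok"


def enforce_login_timeout(session, now=None, timeout=600):
    """Variant from the second reply: mark the user as logged out after
    `timeout` idle seconds instead of redirecting. The idle clock only runs
    while the user is authorized. Returns the resulting authorized state."""
    now = time.time() if now is None else now
    last = session.get("lasttime")
    if last is not None and last < now - timeout:
        session["authorized"] = False
    if session.get("authorized"):
        session["lasttime"] = now
    return bool(session.get("authorized"))


if __name__ == "__main__":
    s = {}
    print(enforce_idle_timeout(s, "/myapp/default/index", now=1000.0))        # ok
    print(enforce_idle_timeout(s, "/myapp/default/index", now=1000.0 + 1801))  # redirect
    print(enforce_idle_timeout(s, LOGOUT_PATH, now=1000.0 + 1801))             # ok
```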

voltron

Mar 20, 2008, 9:06:00 AM3/20/08
to web2py Web Framework
Cool! Thanks! :-))